If I assume that those two syslog servers are just two of a much larger number of forwarders that send data to indexers via an intermediary forwarder, then yes, that is exactly what I am saying. Make sure you have at least 2x intermediary forwarding pipelines. And note that those don't have to be individual servers (see here).
A given forwarder (intermediary or not) only talks to a single indexer at any given point in time (unless you have configured multiple forwarding pipelines). If you funnel - for example - 300 forwarders through a single intermediary forwarder, all events will go to a single indexer for however long it takes the intermediary to switch indexers. This will negatively affect event distribution across your indexing tier, which will negatively affect your search performance, especially for searches across recent time windows. This is because not all your indexers (=search peers) will participate relatively equally and in parallel in satisfying a search request.
The same will be true for the syslog data. The syslog servers are already a concentration point for events, given that a larger number of network devices and other systems feed their events to them. If you don't ensure via proper architecture and/or proper configuration that the forwarding data stream is (ideally) evenly spread across your available indexers, you will likely experience issues, either with less than ideal search performance and/or with premature data ageing due to some indexers having to index and store more data than others.
Small-ish differences in event counts are normal, but "sticky forwarders" that don't switch their indexer connections regularly, or not enough intermediary forwarders will cause issues that cannot be corrected easily once they manifest themselves.
I will go to great lengths with my customers to try and dissuade them from intermediary forwarding tiers for those reasons. There are use cases and requirements where you have no choice, but more often than not they are not really needed, can introduce a number of issues, create another point of failure and result in your Splunk configuration being distributed between indexers and intermediaries, when you could have everything in one place.
So, if you need them: Have enough of them to not create a funnel that forces an event stream from potentially thousands of log source systems to go through a very small number of intermediary forwarders and ensure they are configured properly (forceTimebasedAutoLB=true, AutoLBFrequency= )
I hope that makes more sense now.
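Added example, not part of the original answer: a toy Python model of the funnel effect described above, counting how many indexers hold events for a recent search window as the number of intermediary pipelines changes. The 300 sources come from the answer; the 10 indexers, the 30-second switch interval, the 60-second window, the 1 event/s rate and the round-robin rotation rule are constructed assumptions, not Splunk's actual selection logic.

```python
# Added illustration: toy model of forwarder-to-indexer event distribution.
# All numbers are constructed; the rotation rule is an assumption.

def per_pipeline_sources(sources, pipelines):
    """Spread source forwarders across intermediary pipelines as evenly as possible."""
    base, extra = divmod(sources, pipelines)
    return [base + (1 if p < extra else 0) for p in range(pipelines)]


def distribution(sources, pipelines, indexers, switch_s, window_s):
    """Events per indexer over a window, at 1 event/s per source.

    Each pipeline talks to exactly one indexer at a time and moves to the
    next one every switch_s seconds (assumed round-robin, staggered start).
    """
    counts = [0] * indexers
    load = per_pipeline_sources(sources, pipelines)
    for t in range(window_s):
        for p in range(pipelines):
            target = (p + t // switch_s) % indexers
            counts[target] += load[p]
    return counts


def summarize(counts):
    """Return (indexers holding data, share of events on the busiest indexer)."""
    total = sum(counts)
    return sum(1 for c in counts if c), max(counts) / total


if __name__ == "__main__":
    # (label, intermediary pipelines, seconds between indexer switches)
    scenarios = [
        ("1 intermediary pipeline", 1, 30),
        ("2 intermediary pipelines", 2, 30),
        ("10 intermediary pipelines", 10, 30),
        ("1 sticky pipeline (no switch in window)", 1, 3600),
    ]
    for name, pipelines, switch_s in scenarios:
        counts = distribution(300, pipelines, 10, switch_s, 60)
        active, top = summarize(counts)
        print(f"{name:42} active={active}/10 busiest={top:.0%} {counts}")
```

In this model a search over the last 60 seconds is served by 2 of 10 indexers with one pipeline, 3 with two pipelines, and all 10 only when there are as many pipelines as indexers; the sticky case leaves every event on a single indexer.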